Lave SESSIN-ID i php

Du laver et session id med php funktionen: session_id();

hvordan ser dit login script ud?

Viln gerne have noget sikkert, når man logger idn. Som ikke kan ændres- liegsom en cookie.

Jeg ved der er et sikkerhedshul, kan b are ikke finde det.

// START

<?php

$stylesheet = '<link href="http://www.enetonline.dk/style.css" rel="stylesheet" type="text/css">';


session_start();

echo $stylesheet;
include 'config.php';

$connection = @mysql_connect($hostname, $user, $pass)
or die(mysql_error());
$dbs = @mysql_select_db($database, $connection) or
die(mysql_error());

$sql = "SELECT * FROM $userstable WHERE username = '$_POST[username]' AND password = '$_POST[password]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());
$num = @mysql_num_rows($result);

if($_GET['bruger'] == logaf) {
session_destroy();
header ("Location: http://www.enetonline.dk/login/index.php?action=signout");
}




if ($num != 0) {
$cookie_name = "auth";
$cookie_value = "fook!$_POST[username]";
$cookie_expire = "0";
$cookie_domain = $domain;

setcookie($cookie_name, $cookie_value, $cookie_expire, "/", $cookie_domain, 0);
$_SESSION['online'] = TRUE;




}

ob_start();
if(isset($_SESSION['online']))
{
$stylesheet = "<style>
.knap
{
font-face: tahoma;
font-size: 8pt;
display: block;
height: 15px;
color: black;
border-style: solid;
border-color: black;
border-width: 0;
}
.knap:hover
{
font-family: tahoma;
font-size: 11px;
text-decoration: none;
color: #FFFFFF;
height: 13px;
border-width: 1px;
background-position: 50%;
background-image: url('http://www.enetonline.dk/index.phptemplates/news_bg.gif');
}
</style>";
echo $stylesheet;

echo "<body bgcolor=\"#F2F2F2\"><table cellpadding=\"0\" cellspacing=\"0\" height=\"20\" width=\"100%\" align=\"left\">
    <tr>
        <td height=\"30\" width=\"16%\" class=\"knap\">
        <a class=\"knap\" target=_top href=http://www.enetonline.dk/login/nyheds_poster.php?side=opret>Opret nyhed</a></td><tr>
        <td height=\"30\" width=\"16%\" class=\"knap\">
        <a class=\"knap\" target=_top href=http://www.enetonline.dk/login/nyheds_poster.php?side=alle>Se nyhederne</a></td><tr>
        <td height=\"30\" width=\"16%\" class=\"knap\">
        <a class=\"knap\" target=_top href=http://www.enetonline.dk/login/community.php>Community</a></td><tr>
        <td height=\"30\" width=\"16%\" class=\"knap\">
        <a class=\"knap\" target=_top href=http://www.enetonline.dk/login/members.php>Se alle medlemmer</a></td><tr>
        <td height=\"30\" width=\"16%\" class=\"knap\">
        <a class=\"knap\" target=_top href=http://www.enetonline.dk/login/profile.php>Ændre din profil</a></td><tr>
        <td><br><br></td><tr>
        <td height=\"30\" width=\"16%\" class=\"knap\">
        <a class=\"knap\" target=_top href=http://www.enetonline.dk/login/login_hojremenu.php?bruger=logaf>Log ud</a> </td><tr>
    </tr>
</table>";
die;
ob_end();

}
else
{
echo "<form action=\"http://www.enetonline.dk/login/login_hojremenu.php\" method=\"POST\">";
echo "&nbsp;&nbsp;Brugernavn: <br>&nbsp;&nbsp;<input type=\"text\" name=\"username\" size=\"20\" style=\"font-size: 8pt; font-family: Tahoma\"><br>";
echo "&nbsp;&nbsp;Password:  <br>&nbsp;&nbsp;<input type=\"password\" name=\"password\" size=\"20\" style=\"font-size: 8pt; font-family: Tahoma\"><br>";
echo "<br>&nbsp;&nbsp;<input type=\"submit\" value=\"Login!\" style=\"font-size: 8pt; font-family: Tahoma\">";
echo "</form>";
echo "• <a target=_top href=\"http://www.enetonline.dk/login/register.php\">Opret konto</a>";
echo "<br> • <a target=_top href=\"http://www.enetonline.dk/login/reset.php\">Glemt bruger & password</a>";
echo "<br> • <a target=_top href=\"http://www.enetonline.dk/login/passwordreset.php?step=1\">Nulstil dit password!</a></font><br><br>";
}



?><body bgcolor="#F2F2F2">

// SLUT

hvor i den kode beskytter du dig mod SQL injection ?